I'm pretty new to powershell. Not sure what I'm doing wrong here. Trying to export all of one user's AD groups to a CSV. I know it's a bit hard coded but just trying to do something simple.
Import-Module ActiveDirectory
$UserName = "pball"
$ReportPath = "C:\Input\EricsStuff\userADgroups.csv"
Get-ADPrincipalGroupMembership $UserName | Select-Object Name, GroupCategory, GroupScope | Export-Csv $ReportPath
# Export to:
# C:\Input\EricsStuff\userADgroups.csv
Specifically the error is:
Get-ADPrincipalGroupMembership : An unspecified error has occurred
At C:\Input\EricsStuff\ExportUserGroups.ps1:7 char:1
+ Get-ADPrincipalGroupMembership $Username | select name, groupcategory ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (pball:ADPrincipal) [Get-ADPrincipalGroupMembership], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:0,Microsoft.ActiveDirectory.Management.Commands.GetADPrincipalGroupMembership
CodePudding user response:
As you might have seen, there are many posts over the internet mentioning recurring issues with Get-ADPrincipalGroupMembership.
If you want to see a user's membership, the easiest way is to look at the user's MemberOf Active Directory attribute, but since you're looking to get:
Name
GroupScope
GroupCategory
this would require querying each group using Get-ADGroup. There are 2 alternatives I can think of. The first one is using LDAPFilter to search for groups where the user's DistinguishedName is a member (in other words, where the user's DN is part of the group's Member attribute):
$UserName = "pball"
$ReportPath = "C:\Input\EricsStuff\userADgroups.csv"
$userDN = (Get-ADUser $UserName).DistinguishedName
Get-ADGroup -LDAPFilter "(member=$userDN)" |
Select-Object Name, GroupCategory, GroupScope |
Export-CSV $ReportPath
The problem with this approach is that you will only get the groups where the user is a member on the current Domain. If the user is a member of groups that exist on a different Domain, this code will not display them.
Another alternative, if you need to query all groups (on the current Domain and on other Domains) that the user is a member of, is to loop over the MemberOf property. This code has been tested and it works for me, but I can't tell for sure if it's going to work for you (most likely the regex to get the Domain's DistinguishedName can be improved, but I'm bad with that).
$UserName = "pball"
$ReportPath = "C:\Input\EricsStuff\userADgroups.csv"
# MemberOf holds the DNs of the groups the user is a direct member of, across domains
$membership = (Get-ADUser $UserName -Properties MemberOf).MemberOf
# Group the DNs by their domain part (everything from the first "DC=" onwards)
$membership | Group-Object { ($_ -split '(?=DC=)', 2)[1] } | ForEach-Object {
    # Bind to the domain naming context to learn which server to query
    [adsi]$ldap = 'LDAP://{0}' -f $_.Name
    [string]$domain = $ldap.Name
    foreach ($group in $_.Group) {
        Get-ADGroup $group -Server $domain
    }
} |
    Select-Object Name, GroupCategory, GroupScope |
    Export-Csv $ReportPath
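An added example (not from the question or the answer above) that combines both approaches and goes a step further for membership auditing: it includes the user's primary group, which neither MemberOf nor a member= filter lists, derives the -Server name from the DC= components instead of an ADSI bind, keeps going when a domain cannot be reached, and can optionally pull in nested membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The ActiveDirectory module, the user name and the report path are assumptions/placeholders.

```powershell
# Added example, not the original poster's code. Assumes the RSAT ActiveDirectory
# module and a reachable domain controller; 'pball' and the CSV path are placeholders.
Import-Module ActiveDirectory

function Get-UserGroupReport {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [switch]$Recursive   # also return groups reached through nesting
    )
    # The primary group (e.g. Domain Users) is never listed in MemberOf, so ask for it.
    $user = Get-ADUser -Identity $UserName -Properties MemberOf, PrimaryGroup
    $groupDNs = @($user.PrimaryGroup) + @($user.MemberOf)

    if ($Recursive) {
        # LDAP_MATCHING_RULE_IN_CHAIN lets the DC walk nested membership server-side.
        # Note: this only covers groups in the user's own domain.
        $domainDN = ($user.DistinguishedName -split '(?=DC=)', 2)[1]
        $filter   = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
        $groupDNs += @(Get-ADGroup -LDAPFilter $filter -SearchBase $domainDN).DistinguishedName
    }

    $groupDNs | Where-Object { $_ } | Sort-Object -Unique |
        Group-Object { ($_ -split '(?=DC=)', 2)[1] } |
        ForEach-Object {
            # "DC=child,DC=contoso,DC=com" -> "child.contoso.com", usable as -Server
            $server = ($_.Name -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'
            foreach ($dn in $_.Group) {
                try {
                    Get-ADGroup -Identity $dn -Server $server |
                        Select-Object Name, GroupCategory, GroupScope, DistinguishedName
                }
                catch {
                    # An unreachable or untrusted domain should not abort the whole report
                    Write-Warning "Could not resolve $dn via $server : $($_.Exception.Message)"
                }
            }
        }
}

Get-UserGroupReport -UserName 'pball' -Recursive |
    Export-Csv -Path 'C:\Input\EricsStuff\userADgroups.csv' -NoTypeInformation
```

Groups from other domains still appear only if the user is a direct member of them (through MemberOf); nested membership across a trust is not resolved by this example.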